Issue #3544

IKEv2 IPSEC with VTI for multiple overlapping (duplicated) subnets

Added by Zbynek Koci 2 months ago. Updated 23 days ago.

Status:
Closed
Priority:
Normal
Category:
network / firewall
Affected version:
5.7.2
Resolution:
No change required

Description

Hello,

I would like to request a helping hand for a setup which I'm trying to achieve.

Regarding https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN and the really few threads containing strongSwan setups with VTI, it was impossible for me to accomplish the desired setup.

Setup:
Public IP (1.2.3.4) on VMware Edge GW -> DNAT/SNAT <-> Internal VM running Debian 10 (SS 5.7.2) with keepalived interface listening on 192.168.1.3 (for HA purpose)
Physically 2 VMs running with 192.168.1.1 & 192.168.1.2

IP-IP tunnel with N customers (e.g. 2)
me:
Public IP: 1.2.3.4
Subnet: 192.168.1.3/32 (yes only one IP)

Customer #1:
Public IP: 5.6.7.8
Internal subnet: 10.10.0.0/15
Internal Virtual Translation?: 200.10.0.0/15

Customer #2:
Public IP: 9.10.11.12
Internal subnet: 10.10.0.0/15
Internal Virtual Translation?: 201.10.0.0/15

vpn-to-cus-1
left=192.168.1.3
leftid=1.2.3.4
leftsubnet=192.168.1.3/32
right=5.6.7.8
rightsubnet=10.10.0.0/15 (200.10.0.0/15)

vpn-to-cus-2
left=192.168.1.3
leftid=1.2.3.4
leftsubnet=192.168.1.3/32
right=9.10.11.12
rightsubnet=10.10.0.0/15 (201.10.0.0/15)

The desired state is that customers don't know each other so their subnets are isolated.
Communication can be initiated on both sides.

Customer #1
me via 192.168.1.3 (1.2.3.4) from 192.168.1.3 to 200.10.0.0/15 (10.10.0.0/15) for customer #1 to tunnel via 5.6.7.8
or
customer via 5.6.7.8 from 10.10.0.0/15 (200.10.0.0/15) to me 192.168.1.3 via 1.2.3.4

AND

Customer #2
me via 192.168.1.3 (1.2.3.4) from 192.168.1.3 to 201.10.0.0/15 (10.10.0.0/15) for customer #2 to tunnel via 9.10.11.12
or
customer via 9.10.11.12 from 10.10.0.0/15 (201.10.0.0/15) to me 192.168.1.3 via 1.2.3.4

I already tried the following example configuration for an IP-IP tunnel via a VTI interface; it established, but no ping is going through (by tcpdump it seems it's impossible to catch it back on the source). No translation at all yet, since typical VPN traffic isn't going through.

Is 5.7.2 applicable here for this purpose? How to configure the IP layer for routing?
Do we need to upgrade to 5.8.4? Is it safe, since on Debian 10 it's still marked as unstable?

I understand the mark & virtual interface logic, but I'm missing the IP translation & the condition by which it's maintained.

I would really highly appreciate any tip or helping hand in this setup.

It's really impossible to apply IP translation on the customer side. Everyone network-skilled with VPNs just told me it should be possible, but they don't have experience with overlapping like this (they avoid it as much as possible).

Thanks

Kind Regards,
Zbynek Koci

History

#1 Updated by Tobias Brunner 2 months ago

  • Status changed from New to Feedback

Is 5.7.2 applicable here for this purpose?

I guess (only XFRM interfaces need a newer version, but also of the kernel).

How to configure IP layer for routing?

What do you mean? Are you sure you know what you are doing?

I understand the mark & virtual interface logic, but I'm missing the IP translation & the condition by which it's maintained.

Really? Why didn't you configure any marks then? (At least your config snippets don't show them.)

By the way, there is an example (that doesn't use VTIs, which might only complicate things) of how subnet mapping can be done on the server, see ikev2/net2net-same-nets.
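
The mark-plus-subnet-mapping approach from the previous comment, worked out for the two customers of this issue as an added shell example (not from the issue, the wiki page or the strongSwan test suite). It assumes each ipsec.conf conn carries mark=<id> equal to its VTI key, that charon.install_routes = no is set in strongswan.conf so the overlapping routes are not installed by strongSwan, and it only prints the commands unless run with the argument apply.

```shell
#!/bin/sh
# Added example, not from this issue or the strongSwan test suite: hub-side setup for
# N customers whose internal subnets overlap, using one VTI per customer, fwmark-based
# routing and NETMAP so each customer is seen under its own mapped prefix.
# Assumptions: each ipsec.conf conn carries mark=<id> equal to the VTI key, and
# charon.install_routes = no so strongSwan does not install the overlapping routes itself.
# Without the "apply" argument the commands are only printed.

LOCAL=192.168.1.3           # hub address (behind the 1.2.3.4 DNAT/SNAT edge)
MODE=${1:-plan}

run() { if [ "$MODE" = apply ]; then "$@"; else echo "$*"; fi; }

# customer_tunnel <id> <peer public IP> <real remote subnet> <mapped prefix>
customer_tunnel() {
  id=$1 peer=$2 real=$3 mapped=$4 dev="vti$1"
  run ip tunnel add "$dev" mode vti local "$LOCAL" remote "$peer" key "$id"
  run ip link set "$dev" up
  run sysctl -q -w "net.ipv4.conf.$dev.disable_policy=1"   # VTI already matched the policy
  run sysctl -q -w "net.ipv4.conf.$dev.rp_filter=0"        # inbound src is the real (overlapping) prefix
  # The main table knows only the mapped prefix; the real prefix lives in a
  # per-customer table that is reachable only with this customer's fwmark.
  run ip route add "$mapped" dev "$dev"
  run ip rule add fwmark "$id" lookup "$id"
  run ip route add "$real" dev "$dev" table "$id"
  # Hub-initiated: mark by mapped destination, then NETMAP the destination to the
  # real prefix (nat OUTPUT rewrites dst, the kernel then re-routes using the mark).
  run iptables -t mangle -A OUTPUT -d "$mapped" -j MARK --set-mark "$id"
  run iptables -t nat -A OUTPUT -d "$mapped" -j NETMAP --to "$real"
  # Customer-initiated: on the VTI the source is still the real prefix, NETMAP it to
  # the mapped prefix (nat INPUT rewrites src); conntrack reverses replies in both cases.
  run iptables -t nat -A INPUT -i "$dev" -s "$real" -j NETMAP --to "$mapped"
}

# Customers from the issue: same real subnet, distinct mapped prefixes and marks.
customer_tunnel 1 5.6.7.8    10.10.0.0/15 200.10.0.0/15
customer_tunnel 2 9.10.11.12 10.10.0.0/15 201.10.0.0/15
```

Because both conns then use identical traffic selectors, only the mark distinguishes their IPsec policies, which is why the mark must match the VTI key.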

#2 Updated by Zbynek Koci 2 months ago

How to configure IP layer for routing?

What do you mean? Are you sure you know what you are doing?

Yes, in general I know, I just don't know how to write the IP rules to get a working IP layer.

I understand the mark & virtual interface logic, but I'm missing the IP translation & the condition by which it's maintained.

Really? Why didn't you configure any marks then? (At least your config snippets don't show them.)

Yes, configured, just not present in the snippet, but even when it was UP with only one non-overlapping subnet, it was unable to receive the returning responses on the source.

By the way, there is an example (that doesn't use VTIs, which might only complicate things) of how subnet mapping can be done on the server, see ikev2/net2net-same-nets.

Going to check it; I hope it will be applicable to our setup, where translation is needed both ways & multiple times.

I will try to follow provided example. Thanks

#3 Updated by Tobias Brunner 23 days ago

  • Status changed from Feedback to Closed
  • Assignee set to Tobias Brunner
  • Resolution set to No change required